An example Santa FAA (File Access Authorization) rule that prevents Spotlight importers from being added, to stop Patrick Wardle's persistence trick and Sploitlight (CVE-2025-31199)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Version</key>
<string>Lockdown Spotlight importers</string>
<key>WatchItems</key>
<dict>
<!-- Block unauthorized Spotlight plugin installations (Sploitlight protection) -->
<key>SploitlightProtection</key>
<dict>
<key>Paths</key>
<array>
<dict>
<key>Path</key>
<string>/Users/*/Library/Spotlight</string>
<key>IsPrefix</key>
<true/>
</dict>
</array>
<key>Options</key>
<dict>
<key>AllowReadAccess</key>
<true/>
<key>AuditOnly</key>
<false/>
<key>EnableSilentMode</key>
<true/>
</dict>
<key>Processes</key>
<array>
<dict>
<key>SigningID</key>
<string>com.apple.mds</string>
<key>PlatformBinary</key>
<true/>
</dict>
<dict>
<key>SigningID</key>
<string>com.apple.mdworker</string>
<key>PlatformBinary</key>
<true/>
</dict>
<dict>
<key>SigningID</key>
<string>com.apple.mdworker_shared</string>
<key>PlatformBinary</key>
<true/>
</dict>
<dict>
<key>SigningID</key>
<string>com.apple.mdimport</string>
<key>PlatformBinary</key>
<true/>
</dict>
<dict>
<key>SigningID</key>
<string>com.apple.installer</string>
<key>PlatformBinary</key>
<true/>
</dict>
</array>
</dict>
</dict>
</dict>
</plist>

Note: the Sploitlight write-up also covers reading files. You can additionally write Santa FAA rules that lock those databases down even from Spotlight, and use silent blocks so users never see the dialogs.

e.g.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Version</key>
<string>Lockdown Apple Intelligence databases</string>
<key>WatchItems</key>
<dict>
<!-- Protect Apple Intelligence databases from Sploitlight data exfiltration -->
<!-- Rule names should contain only letters, digits and underscores -->
<key>ExampleProtectionOfAppleIntelligenceDatabases</key>
<dict>
<key>Paths</key>
<array>
<dict>
<key>Path</key>
<string>/Users/*/Pictures/Photos Library.photoslibrary</string>
<key>IsPrefix</key>
<true/>
</dict>
</array>
<key>Options</key>
<dict>
<!-- Reads are denied too, so the database cannot be read by unlisted processes -->
<key>AllowReadAccess</key>
<false/>
<key>AuditOnly</key>
<false/>
<!-- Silent mode: block without showing the user a dialog -->
<key>EnableSilentMode</key>
<true/>
</dict>
<!-- Only these platform binaries may touch the library -->
<key>Processes</key>
<array>
<dict>
<key>SigningID</key>
<string>com.apple.Photos</string>
<key>PlatformBinary</key>
<true/>
</dict>
<dict>
<key>SigningID</key>
<string>com.apple.photoanalysisd</string>
<key>PlatformBinary</key>
<true/>
</dict>
<dict>
<key>SigningID</key>
<string>com.apple.MediaAnalysis</string>
<key>PlatformBinary</key>
<true/>
</dict>
<dict>
<key>SigningID</key>
<string>com.apple.photolibraryd</string>
<key>PlatformBinary</key>
<true/>
</dict>
<dict>
<key>SigningID</key>
<string>com.apple.assetsd</string>
<key>PlatformBinary</key>
<true/>
</dict>
<dict>
<key>SigningID</key>
<string>com.apple.cloudphotod</string>
<key>PlatformBinary</key>
<true/>
</dict>
<dict>
<key>SigningID</key>
<string>com.apple.intelligenceplatformd</string>
<key>PlatformBinary</key>
<true/>
</dict>
<dict>
<key>SigningID</key>
<string>com.apple.knowledgeconstructiond</string>
<key>PlatformBinary</key>
<true/>
</dict>
<dict>
<key>SigningID</key>
<string>com.apple.XProtectFramework.plugins.*</string>
<key>PlatformBinary</key>
<true/>
</dict>
</array>
</dict>
</dict>
</dict>
</plist>
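Before deploying either policy above it is worth linting it. The following is an added example, not Santa's own tooling and not part of the original gist: a small Python checker that loads an FAA policy plist and flags the mistakes that are easy to make by hand (a rule name with spaces, a path listed twice, a rule with no Paths or no exempted Processes, AuditOnly left on). It assumes, from the author's reading of the Santa docs, that rule names are limited to letters, digits and underscores; confirm that against the Santa version in use. The embedded sample policy is constructed for the example and deliberately contains two of those mistakes.

```python
"""Sanity checker for a Santa FAA (File Access Authorization) policy plist.

Added example, not Santa's own code. Assumption (not from the page): rule
names use only [A-Za-z0-9_]; each rule needs a Paths array whose entries
carry a Path string.
"""
import plistlib
import re

RULE_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")

# Constructed sample policy, modelled on the Spotlight rule, with a rule
# name containing spaces and a duplicated path so the checker has something
# to report.
SAMPLE_POLICY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Version</key><string>Lockdown Spotlight importers</string>
  <key>WatchItems</key>
  <dict>
    <key>Spotlight Protection</key>
    <dict>
      <key>Paths</key>
      <array>
        <dict><key>Path</key><string>/Users/*/Library/Spotlight</string><key>IsPrefix</key><true/></dict>
        <dict><key>Path</key><string>/Users/*/Library/Spotlight</string><key>IsPrefix</key><true/></dict>
      </array>
      <key>Options</key>
      <dict>
        <key>AllowReadAccess</key><true/>
        <key>AuditOnly</key><false/>
        <key>EnableSilentMode</key><true/>
      </dict>
      <key>Processes</key>
      <array>
        <dict><key>SigningID</key><string>com.apple.mds</string><key>PlatformBinary</key><true/></dict>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""


def check_policy(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    policy = plistlib.loads(data)

    if not isinstance(policy.get("Version"), str):
        findings.append("missing or non-string top-level Version")
    watch_items = policy.get("WatchItems")
    if not isinstance(watch_items, dict):
        return findings + ["missing WatchItems dictionary"]

    for name, rule in watch_items.items():
        if not RULE_NAME_RE.match(name):
            findings.append(f"rule {name!r}: name should use only letters, digits and underscores")

        paths = rule.get("Paths") or []
        seen = set()
        for entry in paths:
            path = entry.get("Path") if isinstance(entry, dict) else None
            if not path:
                findings.append(f"rule {name!r}: path entry without a Path string")
                continue
            key = (path, bool(entry.get("IsPrefix", False)))
            if key in seen:
                findings.append(f"rule {name!r}: duplicate path {path!r}")
            seen.add(key)
        if not paths:
            findings.append(f"rule {name!r}: no Paths defined")

        # AuditOnly set to true means the rule only logs and blocks nothing.
        if rule.get("Options", {}).get("AuditOnly") is True:
            findings.append(f"rule {name!r}: AuditOnly is true, so nothing is blocked")
        # Processes is the allow list of binaries exempted from the rule.
        if not rule.get("Processes"):
            findings.append(f"rule {name!r}: no Processes listed, so no process is exempted")
    return findings


if __name__ == "__main__":
    for finding in check_policy(SAMPLE_POLICY):
        print(finding)
```

Run it against the real policy file with `check_policy(open(path, "rb").read())`; `plistlib.loads` already rejects malformed XML, so a parse error is reported before any rule-level finding. Keep `AuditOnly` true on a first rollout if you want logs before enforcement, and switch it off once the `Processes` list is known to be complete.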